Skip to main content

Analysis | The Cybersecurity 202: Super Tuesday will be big test for security of Los Angeles County's new voting machines

By Joseph Marks

Voters prepare their ballots in voting booths during early voting for the California presidential primary election at an L.A. County 'vote center' on March 1, 2020 in Los Angeles, California. (Photo by Mario Tama/Getty Images)
Today’s Super Tuesday contest will mark a critical test for the brand new voting machines that Los Angeles County had custom built in the hopes voting could be easy and accessible for its 5.2 million residents.
But as security concerns persist, it may also be judgment day for the strategy to try to wrest control of voting technology from the stranglehold of a handful of major vendors experts say can't be trusted in an era of Russian hacking.
The county poured $280 million into the machines, a rare example of a system not built by any of the three companies that control more than 90 percent of the U.S. voting machine market, as my colleague Neena Satija and I report. The county even planned to offer its software, which produces ballots with paper records in more than a dozen languages, free to other jurisdictions that also wanted to break free of the big vendors.
Yet an official review contracted by California’s top election office in December uncovered numerous digital and physical flaws and sparked fears among security advocates that the vote could be compromised.
“We may be witnessing something like the emperor’s new clothes,” Susan Greenhalgh, vice president of policy at the National Election Defense Coalition advocacy group, told us. “We’ve been told that this is so great and so expensive and so fabulous for the past 10 years. And when it actually had to see the light of day and get scrutinized by some independent testers, it didn’t come close to meetingexpectations.”
The debut of the new machines in L.A. was especially enticing since states and counties across the country are struggling to figure out the best way to protect elections against foreign interference – and how to spend their state taxpayer dollars and federal assistance on technology as security advocates warned the old guard of voting machine vendors isn't transparent or nimble enough to guarantee security.
But the poor report card for the effort by the largest county in the nation, with massive resources, may have them questioning whether it’s worth going this route.
An image of the ballot-marking device developed by Los Angeles County.
The security problems – which the county’s Registrar of Voters Dean Logan told us were all remedied or mitigated before today’s primary contest – include a flaw that could allow hackers to insert malicious software into vote-tallying machines using a USB drive and inadequate physical security around both the voting machines and boxes used for transferring ballots.
The machines, dubbed Voting Solutions for All People or VSAP, also lack full-disk encryption – a cybersecurity gold standard – that won’t be added before 2021, officials said. And there’s no word on when the county will release its software code to other jurisdictions that want to follow its lead, though Logan told us that’s still the plan.
The concerns come as top government officials warn that Russia and other U.S. adversaries remain eager to undermine the 2020 election even though they haven’t yet identified “any activity designed to prevent voting or change votes.”
Officials renewed those warnings yesterday with a joint statement from top intelligence, law enforcement and cybersecurity officials sounding an alarm about adversaries’ efforts to “spread false information and propaganda about political processes and candidates on social media in hopes to cause confusion and create doubt in our system.”
Logan, who led development of the system, defended it in an interview, saying the issues critics raise are to be expected for a bold system that was built from scratch.
“Given the time frame and the dynamics that we had to work under, I don’t think it’s particularly surprising or shocking,” he said. “It’s an entirely new and innovative way to deploy a voting system, and it’s more complex and challenging than any other election jurisdiction in the country.”
He also accused critics of reflexively attacking the system because it’s new, adding that “that’s why we’ve been stuck for decades on the limited voting systems we have in this country.”
Indeed, the system has become fodder for critics of ballot-marking devices – a category of touch screen voting machines like the VSAP that also produce paper ballots for voters to review. BMDS have become far more common since 2016 when election officials across the nation shifted to paper-based voting systems that are more secure against hacking – but many cybersecurity experts say they’re less secure than hand-marked paper ballots.
L.A. County has made a number of fixes ahead of today's primary. In addition to patching vulnerabilities, the county increased training for poll workers and voter education, and it has placed tamper-evident seals and protective covers on some equipment.
The secretary of state’s office also required the county to provide a paper ballot option for voters who don’t want to use the new machines. But the paper ballots do not list the candidates or the specific races, meaning voters must write all of their choices in by hand, raising the possibility of ambiguous responses that could confuse election results.
L.A. County began the process of replacing its antiquated legacy voting machines back in 2009 – long before the election world was upended by Russia’s 2016 hacking and disinformation operation, which included digitally probing voting systems across the country and penetrating databases in Illinois and at least two Florida counties.
The county’s development contract with its vendor Smartmatic, however, promised that California’s cybersecurity and accessibility standards for voting systems – some of the strictest in the nation – would be “woven directly into the DNA” of the new system. That didn’t happen, according to the report commissioned by the California secretary of state’s office and conducted by the consulting firm Freeman, Craft, McGregor Group.
In addition to the digital and physical security concerns, the report highlighted a messy ballot design that requires voters to scroll through multiple pages to review all the candidates for some races. That has already prompted a lawsuit from the city of Beverly Hills, which says it’s unfair to candidates on the second page.
“It’s a great concept, but it has a fatal flaw in that it does not provide the electorate with an objective view of the election,” Julian Gold, a Beverly Hills City Council member who will appear on the ballot, said in an interview. “When was the last time you [got] to Page 2 of a Google search?”
Here’s a full rundown on what to expect on Super Tuesday from my colleagues Amy Gardner and Elise Viebeck.


An “I Voted” sign points to a polling station. (Richard Vogel/AP)
PINGED: At least 50 election-related websites for counties and towns voting today have security problems that make them especially vulnerable to cyberattacks, a review by Jack Gillum at ProPublica found. The sites are in districts that serve about 2 million voters. The vulnerabilities, which include outdated software and poor encryption, raise concerns that Russian hackers could sow chaos by changing election night tallies or taking sites offline during critical reporting periods.  
Several localities said they would fix their websites after ProPublica contacted them. But others said they had no plans to make fixes before today’s primaries.
That includes Richmond, the Virginia capital that represents more than 153,000 voters, which is still running on a 2003 version of Microsoft’s Windows operating system that the company is no longer issuing routine patches for. Richmond officials said they’re still getting periodic updates from Microsoft meant to plug major security holes.
“We are absolutely prepared to protect the integrity of our elections and have taken significant steps to do so,” Richmond spokesman Jim Nolan said.
None of the election offices contacted by ProPublica reported that their sites had been hacked. But U.S. intelligence agencies warn foreign adversaries are eager to compromise the election, and attacking county websites is “in the playbook,” one senior U.S. official told Jack.

A Huawei logo is seen on the side of a building at the headquarters in Shenzhen, China. (Jason Lee/Reuters)
PATCHED: Internal Huawei documents reviewed by Reuters add meat to long-standing charges that the Chinese telecom has violated U.S. sanctions against Iran, Steve Stecklow at Reuters reports.
The new documents relate to a multimillion-dollar Iranian telecommunications project that figures prominently in an ongoing U.S. criminal case against Huawei and its chief financial officer, Meng Wanzhou. The documents, which aren’t cited in the criminal case, could bolster a campaign by U.S. officials to get allies to ban Huawei equipment from their next-generation 5G wireless networks.
Huawei has pushed back against numerous U.S. charges, including that it’s complicit in Chinese government spying and dodged sanctions to sell U.S. equipment to Iranian telecom carriers.
But the new documents  show the company sold more than 300 cases of U.S. computer equipment, including HP goods, to an Iranian telecom provider.
A Huawei spokesman declined to comment, citing the ongoing legal case.

A North Korean flag flies before missiles displayed during a military parade to mark 100 years since the birth of Kim Il Sung in Pyongyang. (Eed Jones/AFP/Getty Images)
PWNED: U.S. prosecutors indicted two Chinese citizens for allegedly helping North Korean hackers launder at least $100 million in stolen virtual currencies, my colleagues Spencer S. Hsu and Ellen Nakashima report. The charges could signal that U.S. officials are turning up the heat on long-suspected Chinese involvement in North Korean hacking operations.
The indictment is the first known case of U.S. officials charging Chinese citizens for aiding North Korean hacking. The Treasury Department also imposed sanctions on the two Chinese men, Tian Yinyin and Li Jiadong, yesterday.
U.S. officials and the United Nations have accused North Korea of stealing bitcoin and other virtual currencies as a way to circumvent global sanctions and fund its renegade nuclear program. U.N. officials estimate North Korean hackers have stolen at least $2 billion for its weapons program by hacking financial institutions and cryptocurrency exchanges in recent years.
Want the latest reporting on the coronavirus? Sign up for “To Your Health: coronavirus” a new Washington Post newsletter that will bring you everything you need to know about the spread of the coronavirus in the U.S. and abroad.


Cybersecurity news from the public sector:

WhatsApp users in Nigeria, Brazil, Pakistan, Ireland and other countries have received a wave of falsehoods about the number of people affected by coronavirus, the way the illness is transmitted and the availability of treatments.
Tony Romm

Outside security researchers alerted the Pentagon about more software vulnerabilities in its networks than ever before, according to statistics released by a Department of Defense unit focused on cyber operations.


Cybersecurity news from the private sector:

Pharmacy chain Walgreens is alerting customers that their prescription data and other information may have been exposed thanks to a flaw in the company’s messaging app.

Two units of cruise operator Carnival Corp disclosed on Monday that they were th...

Beyond the spotlight of the cybersecurity industry’s IPO-fueled paydays and reputation-making research lives the slow burn of daily anxiety. In just about every industry, mental health is overlooked and under-appreciated. But in cybersecurity, “it’s even more stigmatized,” according to psychiatrist Ryan Louie.


Cybersecurity news abroad:

Facebook has removed hundreds of accounts, pages, groups and Instagram accounts originating from India and Egypt for violating Facebook’s policy against foreign or government interference.

ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.

In mid-February, country representatives convened at the United Nations to hold the second formal meeting of the Open-Ended Working Group on international cybersecurity


Popular posts from this blog

Analysis | The Cybersecurity 202: How the shutdown could make it harder for the government to retain cybersecurity talent

By Joseph Marks 13-17 minutes THE KEY President Trump delivers an address about border security amid a partial government shutdown on Jan. 8. (Carolyn Kaster/AP) The partial government shutdown that's now in its 18th day is putting key cyber policy priorities on hold and leaving vital operations to a bare bones staff. But the far greater long-term danger may be the blow to government cyber defenders' morale, former officials warn. With the prospect of better pay and greater job security in the private sector, more government cyber operators are likely to decamp to industry, those former officials tell me, and the smartest cybersecurity graduates will look to industry rather than government to hone their skills. That’s especially dangerous, they say, considering the government’s struggle to recruit and retain skilled workers amid a nationwide shortage of cybersecurity talent. About 20 percent of staffers are furloughed at the De

Democrats call for investigation into Trump’s iPhone use after a report that China is listening:Analysis | The Daily 202 I The Washington Post. By James Hohmann _________________________________________________________________________________ President Trump and Chinese President Xi Jinping visit the Great Hall of the People in Beijing last November. (Andrew Harnik/AP) With Breanne Deppisch and Joanie Greve THE BIG IDEA: If Democrats win the House in two weeks, it’s a safe bet that one of the oversight hearings they schedule for early next year would focus on President Trump’s use of unsecured cellphones. The matter would not likely be pursued with anywhere near the gusto that congressional Republicans investigated Hillary Clinton’s use of a private email server during her time as secretary of state. Leaders of the minority party have higher priorities . But Democratic lawmakers made clear Thursday morning that they will not ignore a New York Times report that Trump has refused to stop using iPhones in the White House, despite repeated warnings from U.S. intelligence offici

RTTNews: Morning Market Briefing.-Weekly Jobless Claims Edge Down To 444,000. May 13th 2010

Morning Market Briefing Thu May 13 09:01 2010   Commentary May 13, 2010 Stocks Poised For Lackluster Open Amid Mixed Market Sentiment - U.S. Commentary Stocks are on pace for a mixed start to Thursday's session, as a mostly upbeat jobs report continued to relieve the markets while some consternation regarding the European debt crisis remained on traders' minds. The major index futures are little changed, with the Dow futures down by 4 points. Full Article Economic News May 13, 2010 Weekly Jobless Claims Edge Down To 444,000 First-time claims for unemployment benefits showed another modest decrease in the week ended May 8th, according to a report released by the Labor Department on Thursday, although the number of claims exceeded estimates due to an upward revision to the previous week's data. Full Article May 13, 2010 Malaysia's Decade High Growth Triggers Policy Tightening Malaysia's economy grew at the fastest pace in a decade in